From 8e0a030085b0a6cbd64f01b886299ad970ec03c9 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy <dmitriy@pleshevski.ru>
Date: Sat, 1 Jun 2024 03:42:04 +0300
Subject: [PATCH] modules/yubikey: add support of yubico pam

---
 hosts/asus-gl553vd/configuration.nix        |  6 +-
 modules/nixos/configs/lockscreen/i3lock.nix |  2 +-
 modules/nixos/configs/yubikey.nix           | 75 ++++++++++++++++-----
 3 files changed, 63 insertions(+), 20 deletions(-)

diff --git a/hosts/asus-gl553vd/configuration.nix b/hosts/asus-gl553vd/configuration.nix
index 14ccd19..9da537f 100644
--- a/hosts/asus-gl553vd/configuration.nix
+++ b/hosts/asus-gl553vd/configuration.nix
@@ -7,7 +7,11 @@
     ./users
   ];
 
-  local.yubikey.enable = true;
+  local.yubikey = {
+    enable = true;
+    serial = "28058247";
+    unplug.enable = true;
+  };
 
   ################################################################################
   # Services
diff --git a/modules/nixos/configs/lockscreen/i3lock.nix b/modules/nixos/configs/lockscreen/i3lock.nix
index 6dc39ac..a5e9eab 100644
--- a/modules/nixos/configs/lockscreen/i3lock.nix
+++ b/modules/nixos/configs/lockscreen/i3lock.nix
@@ -11,7 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     programs.i3lock = {
       enable = true;
-      u2fSupport = lib.mkDefault config.local.yubikey.enable;
+      u2fSupport = lib.mkDefault config.security.pam.u2f.enable;
     };
 
     programs.xss-lock.enable = true;
diff --git a/modules/nixos/configs/yubikey.nix b/modules/nixos/configs/yubikey.nix
index b0ae12e..c0b16dc 100644
--- a/modules/nixos/configs/yubikey.nix
+++ b/modules/nixos/configs/yubikey.nix
@@ -1,32 +1,71 @@
 { config, lib, pkgs, ... }:
 
-let cfg = config.local.yubikey; in
+let
+  cfg = config.local.yubikey;
+
+  control = if cfg.multi-factor.enable then "required" else "sufficient";
+in
 {
   options.local.yubikey = with lib; {
     enable = mkEnableOption "yubikey";
+
+    serial = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+
+    multi-factor.enable = mkEnableOption "multi-factor" // { default = true; };
+
+    unplug = {
+      enable = mkEnableOption "Do action when a Yubikey is unplugged";
+      model = mkOption {
+        type = types.str;
+        default = "407";
+      };
+      command = mkOption {
+        type = types.str;
+        default = "${pkgs.systemd}/bin/loginctl lock-sessions";
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.yubikey-manager pkgs.yubikey-personalization ];
 
-    security.pam.u2f = {
-      enable = true;
-      control = "required";
-      cue = lib.mkDefault true;
-    };
+    security.pam =
+      if cfg.serial == null then
+        {
+          u2f = {
+            enable = true;
+            inherit control;
+            cue = lib.mkDefault true;
+          };
 
-    services.udev.packages = [ pkgs.yubikey-personalization ];
-    security.pam.services = {
-      login.u2fAuth = true;
-      sudo.u2fAuth = true;
-    };
-    services.pcscd.enable = true;
+          services = {
+            login.u2fAuth = lib.mkDefault true;
+            sudo.u2fAuth = lib.mkDefault true;
+          };
+        }
+      else
+        {
+          yubico = {
+            enable = true;
+            inherit control;
+            mode = "challenge-response";
+            id = [ cfg.serial ];
+          };
+        };
 
-    services.udev.extraRules = lib.mkIf config.programs.xss-lock.enable ''
-      ACTION=="remove",\
-       ENV{DEVTYPE}=="usb_device",\
-       ENV{PRODUCT}=="1050/402/543",\
-       RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
-    '';
+    services.pcscd.enable = cfg.serial != null;
+
+    services.udev = {
+      packages = [ pkgs.yubikey-personalization ];
+      extraRules = lib.mkIf cfg.unplug.enable ''
+        ACTION=="remove",\
+         ENV{DEVTYPE}=="usb_device",\
+         ENV{PRODUCT}=="1050/${cfg.unplug.model}/543",\
+         RUN+="${cfg.unplug.command}"
+      '';
+    };
   };
 }